  1. ####################
  2. # Purge/Flush      #
  3. ####################
  4. flush ruleset
  5.  
  6. #define admin = { 12.34.56.78/29, 10.11.12.0/8, 172.16.1.0/16 }
  7. #define google_dns = { 8.8.8.8, 8.8.4.4 }
  8. #define mailout = { 127.0.0.1 }
  9.  
  10. #########################
  11. # Incoming IPv4-Traffic #
  12. #########################
  13. table ip filter {      
  14.    chain input {               
  15.       type filter hook input priority 0; policy drop;
  16.  
  17.       # drop all bad actors before we do rel/est
  18.       ip saddr @blackhole drop
  19.  
  20.       # Allow packets to established/related connections
  21.       ct state established,related accept
  22.  
  23.       # Drop invalid connections
  24.       ct state invalid drop    
  25.      
  26.       # Allow loopback interface               
  27.       iif lo accept
  28.  
  29.       # if the connection is NEW and is not SYN then drop
  30.       tcp flags != syn ct state new log prefix "FIRST PACKET IS NOT SYN" drop
  31.  
  32.       # new and sending FIN the connection? DROP!
  33.       tcp flags & (fin|syn) == (fin|syn) log prefix "SCANNER1" drop
  34.  
  35.       # i don't think we've met but you're sending a reset?
  36.       tcp flags & (syn|rst) == (syn|rst) log prefix "SCANNER2" drop
  37.  
  38.       # 0 attack?
  39.       tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) log prefix "SCANNER3" drop
  40.  
  41.       # xmas attack. lights up everything
  42.       tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) log prefix "SCANNER4" drop
  43.  
  44.       # if the ctstate is invalid
  45.       ct state invalid log flags all prefix "Invalid conntrack state: " counter drop
  46.  
  47.       # Allow ICMPv4: Ping requests | Error messages | Router selection messages
  48.       #ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
  49.  
  50.       # icmp for ipv4 connections
  51.         ip protocol icmp icmp type {
  52.             destination-unreachable, router-advertisement,
  53.             time-exceeded, parameter-problem
  54.         } limit rate 100/second accept
  55.  
  56.         # otherwise we drop, drop, drop
  57.         #
  58.         # when you are troubleshooting uncomment the next line.
  59.         # log prefix "Incoming packet dropped: "
  60.  
  61.       # Reject other packets
  62.       # ip protocol tcp reject with tcp reset
  63.    }
  64. #########################
  65. # Forward IPv4-Traffic  #
  66. #########################
  67.    chain forward {             
  68.       type filter hook forward priority 0; policy drop;        
  69.    }
  70. #########################
  71. # Outgoing IPv4-Traffic #
  72. #########################
  73.    chain output {              
  74.       type filter hook output priority 0; policy accept;
  75.                
  76.       # Allow loopback interface               
  77.       oif lo accept
  78.  
  79.        # allow DNS request if they are not to Google's DNS
  80.        # i think this would qualify as torture, but I
  81.        # have never claimed this set to be technically
  82.        # or morraly sound.
  83.        #udp dport 53 ip daddr 192.168.200.1 accept
  84.        #tcp dport 53 ip daddr 192.168.200.1 accept
  85.  
  86.        #udp dport 853 ip daddr 192.168.200.1 accept
  87.        #tcp dport 853 ip daddr 192.168.200.1 accept    
  88.        
  89.        # allow dhcp
  90.        udp dport 67 accept
  91.  
  92.        # youtube needs this for tracking where you are in the video... weird.
  93.        #udp dport 443 accept
  94.  
  95.        # mail, really? are you malwa... -uhm- mailware!
  96.        #tcp dport {25} ip daddr != $mailout log prefix "SPAMALERT!" drop
  97.  
  98.        # Deny Port 80
  99.        tcp dport {80} drop
  100.  
  101.        # allow web requests
  102.        tcp dport { https } ct state new accept
  103.  
  104.        # limit outgoing icmp type 8 traffic
  105.        ip protocol icmp icmp type echo-request limit rate 1/second log accept
  106.  
  107.         # log packet before it is dropped
  108.         #log flags all prefix "Outgoing packet dropped: "
  109.        
  110.    }
  111.  
  112.     set blackhole {
  113.         # blackhole ipset where we set the type of element as ipv4
  114.         type ipv4_addr
  115.         elements = { 255.255.255.255, 224.0.0.1, 224.0.0.251 }
  116.        
  117.         # we will set a timer on the element after which it is cleared
  118.         #flags timeout
  119.  
  120.         # the value of the timer
  121.         #timeout 1d
  122.     }
  123. }
  124.  
  125. ####################
  126. # IPv6             #
  127. ####################
  128. table ip6 filter {      
  129.    chain input {               
  130.       type filter hook input priority 0; policy drop;
  131.    }
  132.    chain forward {             
  133.       type filter hook forward priority 0; policy drop;        
  134.    }
  135.    chain output {              
  136.       type filter hook output priority 0; policy drop;  
  137.    }
  138. }
  139.